I'm trying to hook IoCreateFile in order to log opening files.
(I know the correct way should be to write a file system filter driver, but that's not an option for now.)
The following code works fine without problem in win 2K (I see the debug message from the __except block),
but always gives me a BSOD in win XP (SP2). The crash dumps tell me that the BSODs were caused by an
Access Violation raised by ProbeForRead. The AV is raised whenever ObjectAttributes was a kernel pointer
(I know ProbeForRead/Write is supposed to work this way), and that's the reason for enclosing ProbeForRead
in a __try/__except block; but why isn't the exception handler executed?
It's strange that I have similar code in other function hooks and it doesn't cause problems; only this one does.
NTSTATUS NTAPI
Detour_IoCreateFile(PHANDLE FileHandle, ACCESS_MASK…)
{
    if( ObjectAttributes && FileHandle ){
        __try {
            ProbeForRead(ObjectAttributes, sizeof(OBJECT_ATTRIBUTES), sizeof(UCHAR) );   /* <-------- BSOD here!! */
            if( ObjectAttributes->ObjectName ){
                ProbeForRead(ObjectAttributes->ObjectName, sizeof(UNICODE_STRING), sizeof(UCHAR) );
                if( ObjectAttributes->ObjectName->Length && ObjectAttributes->ObjectName->Buffer){
                    ProbeForRead(ObjectAttributes->ObjectName->Buffer, ObjectAttributes->ObjectName->Length, sizeof(UCHAR) );
                    // Look at what file is to be opened…
                }
            }
        }
        __except( EXCEPTION_EXECUTE_HANDLER ){
            KdPrint( ("BCGHLP: IoCreateFile() Exception!\n") );
        }
    }
    return Real_IoCreateFile(FileHandle, …);
}
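The thread's core point is that ProbeForRead rejects any range reaching into kernel space, so a hook that probes whatever it is handed will be rejected (or crash) whenever a kernel-mode caller passes a kernel pointer, and the probe only makes sense for user-mode callers. The following is an added, constructed host-side model written for this thread; it is not WDK code and not the poster's hook. ProbeForRead is replaced by a function that performs the same range and alignment test but returns a status instead of raising, two small arrays stand in for user pages and kernel pool, MmUserProbeAddress is assumed to be the 32-bit x86 value without /3GB, and the struct layouts are reduced to the fields a logging hook reads. It shows the three cases that matter: a user-mode caller with user pointers (probe passes, name captured once into a kernel-side copy), a kernel-mode caller with kernel pointers (never probed, which is the case that crashed above), and a user-mode caller whose UNICODE_STRING points its Buffer at kernel memory (the probe rejects it).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model; not WDK code and not the poster's hook. */
typedef enum { MODE_KERNEL = 0, MODE_USER = 1 } PreviousMode;

#define STATUS_SUCCESS               0x00000000u
#define STATUS_DATATYPE_MISALIGNMENT 0x80000002u
#define STATUS_BUFFER_TOO_SMALL      0xC0000023u
#define STATUS_ACCESS_VIOLATION      0xC0000005u

/* Assumed for the model: MmUserProbeAddress on 32-bit x86 without /3GB. */
#define USER_PROBE_ADDRESS 0x7FFF0000u

/* Two arenas stand in for the caller's user pages and for kernel pool. */
#define USER_BASE   0x00010000u
#define KERNEL_BASE 0x80000000u
static unsigned char user_mem[512];
static unsigned char kernel_mem[512];

/* Reduced layouts carrying only the fields the hook reads. */
typedef struct { uint16_t Length, MaximumLength; uintptr_t Buffer; } ModelUnicodeString;
typedef struct { uint32_t Length; uintptr_t RootDirectory, ObjectName; uint32_t Attributes; } ModelObjectAttributes;

/* Model of ProbeForRead: same alignment and range test, but a status instead of a raise.
 * Any range reaching the kernel half of the address space is rejected, which is exactly
 * what happened to the hook above when a kernel-mode caller passed a kernel pointer. */
uint32_t model_probe_for_read(uintptr_t addr, size_t len, size_t align)
{
    if (len == 0) return STATUS_SUCCESS;
    if (align > 1 && (addr & (align - 1)) != 0) return STATUS_DATATYPE_MISALIGNMENT;
    if (addr + len < addr || addr + len > USER_PROBE_ADDRESS) return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

/* Translate a model address to host storage; NULL if it lies outside both arenas. */
static unsigned char *model_map(uintptr_t addr, size_t len)
{
    if (addr >= USER_BASE && addr + len <= USER_BASE + sizeof user_mem) return user_mem + (addr - USER_BASE);
    if (addr >= KERNEL_BASE && addr + len <= KERNEL_BASE + sizeof kernel_mem) return kernel_mem + (addr - KERNEL_BASE);
    return NULL;
}

/* Probe only for user-mode callers, then copy the block into a kernel-side local. */
static uint32_t capture(PreviousMode mode, uintptr_t addr, void *dst, size_t len, size_t align)
{
    unsigned char *src;
    if (mode == MODE_USER) {                      /* kernel callers' pointers are trusted, never probed */
        uint32_t st = model_probe_for_read(addr, len, align);
        if (st != STATUS_SUCCESS) return st;
    }
    src = model_map(addr, len);
    if (src == NULL) return STATUS_ACCESS_VIOLATION;   /* stands in for the fault an unmapped address gives */
    memcpy(dst, src, len);                        /* read once; user memory may change under us afterwards */
    return STATUS_SUCCESS;
}

/* What the hook should do with ObjectAttributes: copy the name (UTF-16 units) into out[]. */
uint32_t capture_object_name(PreviousMode mode, uintptr_t oa_addr,
                             uint16_t *out, size_t out_cap, size_t *out_units)
{
    ModelObjectAttributes oa;
    ModelUnicodeString name;
    uint32_t st;
    *out_units = 0;
    st = capture(mode, oa_addr, &oa, sizeof oa, sizeof(uintptr_t));
    if (st != STATUS_SUCCESS || oa.ObjectName == 0) return st;
    st = capture(mode, oa.ObjectName, &name, sizeof name, sizeof(uintptr_t));
    if (st != STATUS_SUCCESS || name.Length == 0 || name.Buffer == 0) return st;
    if (name.Length / 2 > out_cap) return STATUS_BUFFER_TOO_SMALL;  /* the captured Length drives the copy */
    st = capture(mode, name.Buffer, out, name.Length, sizeof(uint16_t));
    if (st == STATUS_SUCCESS) *out_units = name.Length / 2;
    return st;
}

/* Lay out OBJECT_ATTRIBUTES -> UNICODE_STRING -> buffer inside an arena, buffer at buffer_addr. */
static uintptr_t build_request(uintptr_t base, uintptr_t buffer_addr, const uint16_t *text, size_t units)
{
    ModelObjectAttributes oa = {0};
    ModelUnicodeString name = {0};
    unsigned char *buf = model_map(buffer_addr, units * 2);
    name.Length = name.MaximumLength = (uint16_t)(units * 2);
    name.Buffer = buffer_addr;
    oa.Length = sizeof oa;
    oa.ObjectName = base + 64;
    memcpy(model_map(base, sizeof oa), &oa, sizeof oa);
    memcpy(model_map(base + 64, sizeof name), &name, sizeof name);
    if (buf != NULL) memcpy(buf, text, units * 2);
    return base;
}

static const uint16_t sample_name[] = { '\\', '?', '?', '\\', 'C', ':', '\\', 'x' };  /* constructed: \??\C:\x */
#define SAMPLE_UNITS (sizeof sample_name / sizeof sample_name[0])
static size_t g_units;
size_t captured_units(void) { return g_units; }

/* User-mode caller, everything in user space: probe passes and the name is captured. */
uint32_t scenario_user_ok(void)
{
    uint16_t out[32];
    return capture_object_name(MODE_USER, build_request(USER_BASE, USER_BASE + 128, sample_name, SAMPLE_UNITS), out, 32, &g_units);
}
/* Kernel-mode caller with kernel pointers (the crash case above): no probe, capture succeeds. */
uint32_t scenario_kernel_caller(void)
{
    uint16_t out[32];
    return capture_object_name(MODE_KERNEL, build_request(KERNEL_BASE, KERNEL_BASE + 128, sample_name, SAMPLE_UNITS), out, 32, &g_units);
}
/* User-mode caller whose UNICODE_STRING Buffer points at kernel memory: the probe rejects it. */
uint32_t scenario_user_kernel_buffer(void)
{
    uint16_t out[32];
    return capture_object_name(MODE_USER, build_request(USER_BASE, KERNEL_BASE + 128, sample_name, SAMPLE_UNITS), out, 32, &g_units);
}

int main(void)
{
    printf("user caller:          0x%08X, %u units\n", (unsigned)scenario_user_ok(), (unsigned)captured_units());
    printf("kernel caller:        0x%08X, %u units\n", (unsigned)scenario_kernel_caller(), (unsigned)captured_units());
    printf("user w/ kernel buffer: 0x%08X, %u units\n", (unsigned)scenario_user_kernel_buffer(), (unsigned)captured_units());
    return 0;
}
```

The design point is the order of operations: decide from the caller's previous mode whether to probe at all, probe each block before reading it, copy it once into a kernel-side local, and drive every later access (including the buffer length) from that captured copy rather than from memory the caller can still modify.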
Write a normal FS filter or minifilter and forget hooking. Also, I think
hooking will not be supported in Vista 64 at all.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
----- Original Message -----
From:
To: “Windows System Software Devs Interest List”
Sent: Monday, October 09, 2006 5:32 PM
Subject: [ntdev] SEH not catching AV raised from ProbeForRead
> I'm trying to hook IoCreateFile in order to log opening files.
> (I know the correct way should be to write a file system filter driver, but that's not an option for now)
> The following code works fine without problem in win 2K (I see the debug message from __except block),
> but always gives me BSOD in win XP (SP2). The crash dumps tell me that the BSODs were caused by
> Access Violation raised by ProbeForRead. AV is raised whenever ObjectAttributes was a kernel pointer
> (I know ProbeForRead/Write is supposed to work this way), and that's the reason for enclosing ProbeForRead
> in __try/__except block; but why isn't the exception handler executed?
>
> It's strange that I have similar codes in other function hooks and they don't cause problems; only this one does.
>
> NTSTATUS NTAPI
> Detour_IoCreateFile(PHANDLE FileHandle, ACCESS_MASK…)
> {
>     if( ObjectAttributes && FileHandle ){
>         __try {
>             ProbeForRead(ObjectAttributes, sizeof(OBJECT_ATTRIBUTES), sizeof(UCHAR) );   /* <-------- BSOD here!! */
>             if( ObjectAttributes->ObjectName ){
>                 ProbeForRead(ObjectAttributes->ObjectName, sizeof(UNICODE_STRING), sizeof(UCHAR) );
>                 if( ObjectAttributes->ObjectName->Length && ObjectAttributes->ObjectName->Buffer){
>                     ProbeForRead(ObjectAttributes->ObjectName->Buffer, ObjectAttributes->ObjectName->Length, sizeof(UCHAR) );
>
>                     // Look at what file is to be opened…
>
>                 }
>             }
>         }
>         __except( EXCEPTION_EXECUTE_HANDLER ){
>             KdPrint( ("BCGHLP: IoCreateFile() Exception!\n") );
>         }
>     }
>
>     return Real_IoCreateFile(FileHandle, …);
> }